1. INTRODUCTION

Mobile platforms are increasingly used in application development. With so many applications
customized in different ways, there is the possibility of a significant security risk to the application.
Abundant features and rich functionality give attackers the opportunity to steal sensitive data from
application users [1]. The development of smartphone technology and increasing internet activity have made
digital data more diverse. Photos, videos, text, IP addresses, cookies in the browser, and global positioning
system (GPS) coordinates are all types of digital data [2]. If an application is not designed correctly from a
security point of view, attackers can take data such as names, places of birth, addresses, and telephone
numbers. As one example of a vulnerability that can occur, if an application is designed without attention to
the encryption of user data, that data can be stolen when users connect over public Wi-Fi, because attackers
can easily snoop on the data that users send [3].

According to the announcement of the Cyber Operation Security Center of the Indonesian National
Cyber and Crypto Agency, during 2019 its point-of-view monitoring system detected around 290.3 million
cyberattacks (intrusions) into the Indonesian internet network. The largest share consisted of data leak test
attacks, followed by malware attacks. Compared to the number of cyber-attacks, the number of public
complaints about incidents is relatively minimal; cyber-attacks spiked sharply in September and October and
decreased sharply in November. Even in November and December, the figure was still much higher than in
the first six months of 2019 [4].

Today, fraud is a type of digital crime that occurs more often than physical fraud. Cyber-attacks are
a threat to both large and small companies. According to the federal bureau of investigation (FBI) internet
crime report, the estimated loss from digital crime in 2020 alone is nearly 40 billion [5].

Cyber-attacks, or digital attacks, occur against small companies because small companies usually do
not have high-security infrastructure like large companies. However, large companies can also become
targets of cyberattacks: the more data a large company holds, the more profit cybercriminals stand to gain.
That puts the company at legal risk if customer information is leaked due to the company's negligence. In
addition, the leakage of personal data reduces customer trust or makes it disappear altogether [6].

Security of application data has become a major concern of users themselves [7]. Users worry about
vulnerabilities in an application that can cause them losses, for example malicious code that allows user
activity to be tracked and sensitive data to be stolen. At least about 52% of users remove applications, and
40% stop using them, because of user data privacy and security problems [8]. This is a challenge for
application developers, who must pay attention to user data security in order to maintain user loyalty to the
application [9]. With the advancement of information technology, the government is required to make
innovations that realize the participation of its citizens in supporting open government. In addition, there are
many reasons for the government to transform information technology (IT) services, such as cutting the
budget, increasing productivity without increasing the budget, and increasing the quality of products and
services [10].

The citizen service complaint application is an application developed to make it easier for citizens to
make complaints about any service discrepancies they receive from the government [11]. The data consumed
by this application is of course very sensitive, considering that a valid pair of data such as the user's ID
number, name, location, and phone number is required. Based on this, the researchers performed security
design on the application by applying threat modeling in the application development process.

As an important part of application security, threat modeling has become widespread in application 
development and system evaluation [12]. This study presents a review of threat modeling in a security case 
study for a public service complaint application that the researcher will build. The purpose of this work is to 
make it easier for researchers and other practitioners to get an idea of how threat modeling is applied to 
application development with security in mind, as well as find possible directions for further research. 

According to research [13], the solution to the problem of assisting citizens in submitting reports to
the government is to build an effective and efficient application to improve government services and
performance (good governance). However, applications that are related to government require sensitive
citizen data, so user data security must be the main focus that urgently needs to be considered in a
heterogeneous and interrelated application architecture between services [14].

Threat modeling is now a growing trend and is much discussed in the cybersecurity domain because it
can help in several aspects to make a system more secure from cyber threats [15]. Research [12], which
describes and discusses various theories about threat modeling, interprets threat modeling as a first step that
can be useful for exploring potential attacks from hackers. Similarly, threat modeling provides a structured
way to secure a software design, which involves understanding the objectives of the adversary in attacking
the system based on the assets present in the system.

Threat modeling is best used early in the development cycle. Potential problems can then be caught
and fixed early, which prevents much more expensive fixes to the application later. Thinking about security
requirements with threat modeling can lead to proactive architectural decisions that enable threat reduction
from the outset [16].

Several methodologies can be used in threat modeling, one of which is spoofing, tampering,
repudiation, information disclosure, denial of service and elevation of privilege (STRIDE) [17]. STRIDE is a
threat classification for threat modeling developed by Microsoft. STRIDE is an acronym for the following
concepts, namely spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of
privilege [18]. Our main goal in this study was to identify and categorize threats to a public service
complaint application from an attacker's point of view, and the STRIDE model fits this goal.

Threat modeling methodologies, such as STRIDE, start with data flow diagrams (DFD) [15], which 
are system-level abstractions representing external entities that interact with systems, processes, data flows, 
and data stores. Based on the DFD, systematic iteration of all the model elements will produce potential 
security threats that need to be assessed. In the next step, these threats are documented and prioritized and 
further guide the process of determining appropriate security solutions to mitigate them [19]. 
2. RESEARCH METHOD

In this study, the researchers used the threat modeling process formulated by the open web
application security project (OWASP) organization [20]. The steps taken are to describe the application
information, determine and rank threats, and identify countermeasures and mitigations. The final results of
this research are used as a security guide in developing the application.
a) Describing application information 

The first step in the threat modeling process is concerned with gaining an understanding of the 
application and how it interacts with external entities. The information from the application is written as the 
result of the document and is also used to describe the data flow diagram (DFD) of the application being 
analyzed. The DFD shows the different steps traversed through the system and describes the boundaries of 
access rights. 
b) Threats ranking 

It is essential to identify threats by applying a threat modeling methodology. A threat classification
like STRIDE may be used to define threat categories such as exception management, configuration
management, auditing and logging, data validation, authentication, authorization, and data protection in
storage and in transit. The purpose of threat classification is to help identify threats using STRIDE. The DFD
generated in the previous step helps identify potential threat targets from the hacker's point of view, such as
data flows, interactions with users, data sources, and processes. Use and abuse cases can illustrate how
threats can easily bypass existing protective measures or where such protection is not in place [21].
c) Countermeasures and mitigation 

Vulnerabilities can be reduced by implementing countermeasures [22]. These countermeasures can be
recognized using a threat-to-countermeasure mapping list. Once a risk rating has been set for the threats in
the previous step, it is possible to prioritize mitigation efforts and rank the known threats from highest to
lowest risk.

A risk mitigation strategy may cover evaluating the threat from the resulting business model impact
[23]. When the possible impact is discovered, options for addressing risks are identified and include:
— Accept: determine whether the impact on the business is acceptable or not.
— Eliminate: remove components that might cause security vulnerabilities.
— Mitigation: add checks and controls that reduce the impact of risks or their possible causes.


3. RESULTS AND DISCUSSION 

In this section, the results of the methodological steps that have been carried out in the previous 
chapter are presented. The results section begins with the threat model information which contains basic 
application information. Then it ends with the STRIDE Threat and mitigation stage which is the final result 
of this research. 
a) Threat model information 

The first step is to develop a threat model information. This information is in the form of basic 
information about the application to be tested. The following is the threat model information obtained in the 
first step shown in Table 1. 


Table 1. Threat model information

App Name | PDAM Service
App Version | 1.00.a
Description | This application is a means intended for customers and non-customers to report disturbances or complaints related to services through the Android application. Users are required to have an account and then log in first to report and change their profiles.
Document Owner | Fajar Ratnawati
Participant | Agus Teddyana
Reviewer | Asep Subandri


Table 1 shows several indicators, namely the application name, which contains the name of the
application to be checked; the application version; a description, which gives the application's high-level
description; and then the document owner, participants, and reviewer respectively. These contain the name
of the owner of the threat model document, the participants who took part in the threat model process on the
application, and the name of the reviewer of the threat model.


Indonesian J Elec Eng & Comp Sci, Vol. 28, No. 2, November 2022: 1020-1027 


Indonesian J Elec Eng & Comp Sci, ISSN: 2502-4752, p. 1023


b) External dependencies 

External dependencies are components outside the application code that can allow a threat to the
application to happen [24]. These components may not be under the control of the development team but are
usually still within the control of the organization. The external dependencies that exist in the application are
shown in Table 2.


Table 2. External dependencies

ID | Description
1 | The application is mobile based, but data exchange requires a REST API and is run in a shared hosting environment with the Apache webserver. Hosting management uses the latest Cpanel system with support for security patches.
2 | The database server uses PostgreSQL running in a shared hosting environment. Database management uses the latest Cpanel system with support for the latest security patches.
3 | The connection between the database server and the webserver is on the same hosting, in this case on the hosting's own private network.

c) Entry points 

The entry point defines the interface through which a potential attacker can exploit the application or 
supply it with data. The entry point in the application can consist of several layers. As an example, each state 
in a mobile application may consist of many entry points. The following entry points are shown in Table 3. 


Table 3. Entry points

ID | Name | Description | Trust Level
1 | HTTPS Port | Data exchange using REST API via Transport Layer Security (TLS). All pages in the application are layered at these entry points. | Login User, Unlogin User
2 | Login Page | The login form appears when the user has not logged in when first running the application. | Unlogin User
3 | Login Functional | The login function receives the login data from the user and compares it with the credential saved in the database server. | Unlogin User
4 | Homepage | The main page appears only for logged-in users. | Login User

d) Trust levels 

The trust level represents an application's permissions to an external entity. This makes it possible to 
define the required privileges or permissions at each entry point on the application. The following trust levels 
are shown in Table 4. 


Table 4. Trust levels

ID | Name | Description
1 | Login User | Users who are already connected to the application and have logged in with valid credential information.
2 | Unlogin User | Users who are already connected to the application but have not logged in.

e) Data flow diagram 

All the information collected in the previous stages is then modeled accurately using data flow
diagrams (DFD). A DFD helps the researchers gain an understanding of the application by showing visually
how the data is processed and which flow it follows from the user to the application. The DFD is shown in
Figure 1.

The focus of a DFD is on how data moves through the application and what happens to the data as it
progresses. A DFD has a hierarchical structure, so it can be used to decompose the application. The
high-level DFD helps the researchers explain the scope of the application model, and lower-level iterations
help focus on the explicit processes involved when working on certain data.

Figure 1 shows the DFD of the complaint service application. The data flow starts from the user
requesting data from the application until the mobile app returns the response it gets from the database.
Data that a first-time user wants to obtain must first be requested through the mobile application. There is a
boundary between the user and the mobile application that separates their data flows. The mobile application
first displays local assets to the user as an interface.

To retrieve the data that the user wants, the application then requests it from the database server
through the REST API. Between the application and the database server there is also a boundary. The
database server then queries the intended database table, and the result is returned to the user through the
application.

Figure 1. DFD of application


f) STRIDE 

A threat methodology such as STRIDE is useful in this study for identifying threats by grouping them
by target [25]. The threat list obtained with the STRIDE model helps identify threats based on the hacker's
goals; for example, the danger of someone using another person's identification number during registration.
Will the attacker use social engineering on certain people to get that identification number? As another
example, if the threat scenario is making continuous requests to the REST API endpoint, will the attacker use
bots and specific methods to carry out the attack? The list of threats identified using STRIDE is provided in
Table 5.


Table 5. STRIDE threat list

Type | Description | Data Flow
Spoofing | Can register using someone else's ID Number. | User data request
Tampering | User data can be stolen by attackers if using a public network. | User data request
Repudiation | Users use fake addresses to report complaints. | User data request
Information disclosure | User data is snooped on through man-in-the-middle attacks. | User data request
Denial of service | Users make requests continuously on the provided form. | User data request
Elevation of privilege | The attacker steals the user's internal data from the application and uses the token in that data to take over the user's account. | User data request
Spoofing | The attacker uses another user's API key to access that user's data. | REST API data request
Denial of service | Attackers know REST API endpoints and make requests continuously. | REST API data request

From the threats in Table 5, it can be seen that the types of attack that appear more often than the
others are spoofing and denial of service, with data flowing through user data requests and REST API data
requests. From this, the researchers gain new insight into which vulnerabilities should be secured.
g) Use and abuse case 

Once common vulnerabilities, attacks, and threats have been assessed and evaluated, a more focused
threat analysis should consider use cases and abuse cases. By studying usage scenarios further,
vulnerabilities can be recognized and other threats become apparent. Abuse cases should also be recognized;
an abuse case describes how existing security and prevention measures can be bypassed by attackers, and
whether there is security in the system at all. A use and misuse case of the application is shown in Figure 2.

Figure 2. Use and misuse case


h) STRIDE threat and mitigation 

The goal of identifying countermeasures is to decide whether there are protective measures, such as
policies or security controls, that might prevent a threat. Vulnerabilities are threats that do not have
protective measures. Once threats have been appropriately classified using STRIDE, it is possible to look for
countermeasures that fit a given type. Table 6 shows the methods that the researchers can use to reduce
threats when utilizing the STRIDE methodology.


Table 6. Threat and mitigation technique

Threat Type | Mitigation Technique
Spoofing | 1. Doing double validation when registering an account. 2. Enforce expiration time on REST API tokens.
Tampering | 1. Using TLS in the form of HTTPS when transferring data. 2. A system with support for security patches.
Repudiation | 1. Show a warning when the application is opened and when Fake GPS or the like is running.
Denial of service | 1. Provide a captcha if the user is indicated to have made spam requests. 2. Limiting the number of API requests that a user can make in a specific period.
Elevation of privilege | 1. Limit the number of devices a user can use in each session.
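As an added example (not code from the paper or from the PDAM Service application), the following Python sketch implements three of the Table 6 controls on the REST API side: token expiration (spoofing), a per-user request limit that triggers a captcha challenge once exceeded (denial of service), and a cap on devices per session (elevation of privilege). The class name ApiGuard, its method names and the numeric limits are assumptions chosen for illustration.

```python
"""Added example: REST API side controls from Table 6.

Not the application's own code. ApiGuard, check_request and the default
limits are assumptions; timestamps are passed in explicitly so the
behaviour is deterministic.
"""
from collections import defaultdict, deque


class ApiGuard:
    def __init__(self, token_ttl=900, max_requests=30, window=60, max_devices=2):
        self.token_ttl = token_ttl          # seconds a token stays valid
        self.max_requests = max_requests    # requests allowed per window
        self.window = window                # window length in seconds
        self.max_devices = max_devices      # devices allowed per user session
        self.tokens = {}                    # token -> (user_id, issued_at)
        self.requests = defaultdict(deque)  # user_id -> request timestamps
        self.devices = defaultdict(set)     # user_id -> device ids seen

    def issue_token(self, token, user_id, now):
        """Record a freshly issued token with its issue time."""
        self.tokens[token] = (user_id, now)

    def check_request(self, token, device_id, now):
        """Decide one API request: 'allow', 'challenge: captcha' or 'deny: ...'."""
        entry = self.tokens.get(token)
        if entry is None:
            return "deny: unknown token"
        user_id, issued_at = entry
        # Spoofing control: a token older than token_ttl is no longer accepted.
        if now - issued_at > self.token_ttl:
            del self.tokens[token]
            return "deny: token expired"
        # Elevation of privilege control: cap the devices bound to a session.
        devs = self.devices[user_id]
        if device_id not in devs:
            if len(devs) >= self.max_devices:
                return "deny: device limit"
            devs.add(device_id)
        # Denial of service control: sliding window count per user;
        # once the limit is reached the caller must solve a captcha.
        q = self.requests[user_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return "challenge: captcha"
        q.append(now)
        return "allow"
```

A real deployment would keep the token and counter state in shared storage rather than in process memory, since the API runs behind Apache on shared hosting.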


Once threats and appropriate countermeasures are identified, a threat profile can be created
according to the following standard:
1. Unmitigated threats: threats that have no countermeasures and indicate a vulnerability that can be
fully exploited, with a severe effect on the application.
2. Partially mitigated threats: threats that are handled by one or more countermeasures, causing a limited
impact and allowing only partial exploitation.
3. Fully mitigated threats: threats that have a preventive measure in place from the start and do not
indicate a vulnerability.
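To show how the systematic iteration over DFD elements described in the introduction feeds the threat profile above, here is an added Python example (not the paper's own tooling). It applies the standard STRIDE-per-element mapping to the Figure 1 elements as described in the text, then grades each resulting threat against a condensed copy of Table 6; the element names, the one-control/two-control grading rule, and the function names are assumptions.

```python
"""Added example: STRIDE-per-element pass over the Figure 1 DFD, then
threat-profile grading. Element names, the grading rule and the
condensed Table 6 are assumptions made for this illustration.
"""

# Standard STRIDE-per-element matrix: which threat types apply to each
# kind of DFD element. S=Spoofing T=Tampering R=Repudiation
# I=Information disclosure D=Denial of service E=Elevation of privilege
STRIDE_PER_ELEMENT = {
    "external entity": "SR",
    "process": "STRIDE",
    "data flow": "TID",
    "data store": "TRID",
}

NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

# DFD elements as Figure 1 is described: user -> mobile app -> REST API
# -> database, with the two data flows named in Table 5 (assumed names).
DFD_ELEMENTS = [
    ("User", "external entity"),
    ("Mobile application", "process"),
    ("REST API", "process"),
    ("Database server", "data store"),
    ("User data request", "data flow"),
    ("REST API data request", "data flow"),
]

# Countermeasures per threat type, condensed from Table 6.
MITIGATIONS = {
    "Spoofing": ["double validation at registration", "token expiration"],
    "Tampering": ["TLS/HTTPS", "security patching"],
    "Repudiation": ["warning when Fake GPS is running"],
    "Denial of service": ["captcha on spam", "API rate limit"],
    "Elevation of privilege": ["device limit per session"],
}


def enumerate_threats(elements=DFD_ELEMENTS):
    """Iterate every DFD element and yield (element, threat type) pairs."""
    return [(name, NAMES[c]) for name, kind in elements
            for c in STRIDE_PER_ELEMENT[kind]]


def classify(threat_type, mitigations=MITIGATIONS):
    """Assumed grading rule: no control = unmitigated, one = partially, two or more = fully."""
    n = len(mitigations.get(threat_type, []))
    if n == 0:
        return "unmitigated"
    return "partially mitigated" if n == 1 else "fully mitigated"


def threat_profile(elements=DFD_ELEMENTS, mitigations=MITIGATIONS):
    """Map each (element, threat type) pair to its mitigation status."""
    return {(el, t): classify(t, mitigations) for el, t in enumerate_threats(elements)}


def unmitigated(profile):
    """Threat types that remain without any countermeasure."""
    return sorted({t for (_, t), status in profile.items() if status == "unmitigated"})
```

Run against the tables as given, the profile flags information disclosure as the one threat type in Table 5 with no entry in Table 6, which is the kind of gap the profile step is meant to surface.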


4. CONCLUSION 

There are three reasons why data security is essential. The first is to prevent potential material loss.
The second is to reduce the risk to data and information. The last is to minimize the chances of criminal
activity. The technology used in digital implementation must comply with world-recognized security
standards. Company assets must not be sacrificed just for the sake of saving costs; it is not worth the
price.
Threat modeling also informs what is examined during code review. Using threat modeling in the early
phase of the software development life cycle is very helpful in ensuring that software is developed with
adequate security, based on threat mitigation from the beginning. This study analyzes potential security
threats to a service complaint application and suggests several mitigation strategies to reduce the risk of the
identified threats, using threat modeling analysis that has been widely used in information security. We
propose several practical defense strategies to mitigate the identified threats based on the threat analysis
results. In future research, we will simulate the analyzed attacks against the application system to show
whether the threat modeling implementation has been successfully implemented.